I’ve written about EITest gate for the last couple of months and there really hasn’t been that many notable changes. Below is a sample that I collected from my lab after visiting a compromised site containing the injected EITest script:

Here we can the injected script containing the EITest gate URL. Not a surprise to any security professionals to see the .top TLD being used here. Just take a look at all this history of garbage:

Again, the .top gTLD (introduced November 18, 2014) is one of the more dirty gTLDs with more than half of its domains being categorized as bad:

Looking at my SIEM I see that ET managed to correctly identify the malicious traffic. Notice how ET categorized the .top gTLD as a “Firesale”. I’m guessing this is because the .top gTLD are very cheap and thus very attractive for the bad guys.

As usual with the EITest gate we see the GET request for the SWF redirect:

VirusTotal is categorizing this SWF file as a flash exploit, however, with a rather low detection ratio of 1/52 (as of 8/10/16).

The Flash redirect then makes a GET for the EITest gate URL. Notice how the GET request is supposedly for a .png called “hlb.png”. In actuality it returns an HTML file (HTML/Neutrino.b) 507 bytes in size containing JavaScript designed to redirect to the host to the Neutrino Exploit Kit landing page:

Below is the GET request for the Neutrino Exploit Kit landing page followed by the GET request for the Neutrino SWF exploit:

Again, we see another GET request but as always it returns a “malformed packet”:

The Neutrino EK SWF file is designed to fingerprint the system and then if it’s vulnerable the same SWF is used to exploit the system. Lastly we see a GET for the payload however it is encrypted or obfuscated:

HTTP objects pulled from the PCAP:

After the payload is dropped we can start to see the initial three-way handshake with the CryptMIC C2 via TCP port 443. Notice again how the ransom note is being sent over in clear text:

I recommend blocking both the EITest gate IP and Neutrino EK IP at your firewall(s).